-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #8049 from noxiouz/feature/optional_tls
Add optional TLS feature to gRPC servers
- Loading branch information
Showing
5 changed files
with
280 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
/* | ||
Copyright 2019 The Vitess Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
package grpcoptionaltls | ||
|
||
import ( | ||
"bytes" | ||
"io" | ||
"net" | ||
) | ||
|
||
// WrappedConn imitates MSG_PEEK behaviour | ||
// Unlike net.Conn is not thread-safe for reading already peeked bytes | ||
type WrappedConn struct { | ||
net.Conn | ||
rd io.Reader | ||
} | ||
|
||
func NewWrappedConn(conn net.Conn, peeked []byte) net.Conn { | ||
var rd = io.MultiReader(bytes.NewReader(peeked), conn) | ||
return &WrappedConn{ | ||
Conn: conn, | ||
rd: rd, | ||
} | ||
} | ||
|
||
func (wc *WrappedConn) Read(b []byte) (n int, err error) { | ||
return wc.rd.Read(b) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
/* | ||
Copyright 2019 The Vitess Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
package grpcoptionaltls | ||
|
||
import ( | ||
"net" | ||
|
||
"google.golang.org/grpc/credentials" | ||
) | ||
|
||
type optionalTLSCreds struct { | ||
credentials.TransportCredentials | ||
} | ||
|
||
func (c *optionalTLSCreds) Clone() credentials.TransportCredentials { | ||
return New(c.TransportCredentials.Clone()) | ||
} | ||
|
||
func (c *optionalTLSCreds) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) { | ||
isTLS, bytes, err := DetectTLS(conn) | ||
if err != nil { | ||
conn.Close() | ||
return nil, nil, err | ||
} | ||
|
||
var wc net.Conn = NewWrappedConn(conn, bytes) | ||
if isTLS { | ||
return c.TransportCredentials.ServerHandshake(wc) | ||
} | ||
|
||
var authInfo = info{ | ||
CommonAuthInfo: credentials.CommonAuthInfo{SecurityLevel: credentials.NoSecurity}, | ||
} | ||
|
||
return wc, authInfo, nil | ||
} | ||
|
||
func New(tc credentials.TransportCredentials) credentials.TransportCredentials { | ||
return &optionalTLSCreds{TransportCredentials: tc} | ||
} | ||
|
||
type info struct { | ||
credentials.CommonAuthInfo | ||
} | ||
|
||
func (info) AuthType() string { | ||
return "insecure" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,127 @@ | ||
/* | ||
Copyright 2019 The Vitess Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
package grpcoptionaltls | ||
|
||
import ( | ||
"context" | ||
"crypto/tls" | ||
"io/ioutil" | ||
"net" | ||
"os" | ||
"testing" | ||
"time" | ||
|
||
"google.golang.org/grpc" | ||
"google.golang.org/grpc/credentials" | ||
pb "google.golang.org/grpc/examples/helloworld/helloworld" | ||
|
||
"vitess.io/vitess/go/vt/tlstest" | ||
) | ||
|
||
// server is used to implement helloworld.GreeterServer. | ||
type server struct { | ||
pb.UnimplementedGreeterServer | ||
} | ||
|
||
// SayHello implements helloworld.GreeterServer | ||
func (s *server) SayHello(ctx context.Context, in *pb.HelloRequest) (*pb.HelloReply, error) { | ||
return &pb.HelloReply{Message: "Hello " + in.GetName()}, nil | ||
} | ||
|
||
func createUnstartedServer(creds credentials.TransportCredentials) *grpc.Server { | ||
s := grpc.NewServer(grpc.Creds(creds)) | ||
pb.RegisterGreeterServer(s, &server{}) | ||
return s | ||
} | ||
|
||
type testCredentials struct { | ||
client credentials.TransportCredentials | ||
server credentials.TransportCredentials | ||
} | ||
|
||
func createCredentials() (*testCredentials, error) { | ||
// Create a temporary directory. | ||
certDir, err := ioutil.TempDir("", "optionaltls_grpc_test") | ||
if err != nil { | ||
return nil, err | ||
} | ||
defer os.RemoveAll(certDir) | ||
|
||
certs := tlstest.CreateClientServerCertPairs(certDir) | ||
cert, err := tls.LoadX509KeyPair(certs.ServerCert, certs.ServerKey) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
clientCredentials, err := credentials.NewClientTLSFromFile(certs.ServerCA, certs.ServerName) | ||
if err != nil { | ||
return nil, err | ||
} | ||
tc := &testCredentials{ | ||
client: clientCredentials, | ||
server: credentials.NewServerTLSFromCert(&cert), | ||
} | ||
return tc, nil | ||
} | ||
|
||
func TestOptionalTLS(t *testing.T) { | ||
testCtx, testCancel := context.WithCancel(context.Background()) | ||
defer testCancel() | ||
|
||
tc, err := createCredentials() | ||
if err != nil { | ||
t.Fatalf("failed to create credentials %v", err) | ||
} | ||
|
||
lis, err := net.Listen("tcp", "") | ||
if err != nil { | ||
t.Fatalf("failed to listen %v", err) | ||
} | ||
defer lis.Close() | ||
addr := lis.Addr().String() | ||
|
||
srv := createUnstartedServer(New(tc.server)) | ||
go func() { | ||
srv.Serve(lis) | ||
}() | ||
defer srv.Stop() | ||
|
||
testFunc := func(t *testing.T, dialOpt grpc.DialOption) { | ||
ctx, cancel := context.WithTimeout(testCtx, 5*time.Second) | ||
defer cancel() | ||
conn, err := grpc.DialContext(ctx, addr, dialOpt) | ||
if err != nil { | ||
t.Fatalf("failed to connect to the server %v", err) | ||
} | ||
defer conn.Close() | ||
c := pb.NewGreeterClient(conn) | ||
resp, err := c.SayHello(ctx, &pb.HelloRequest{Name: "Vittes"}) | ||
if err != nil { | ||
t.Fatalf("could not greet: %v", err) | ||
} | ||
if resp.Message != "Hello Vittes" { | ||
t.Fatalf("unexpected reply %s", resp.Message) | ||
} | ||
} | ||
|
||
t.Run("Plain2TLS", func(t *testing.T) { | ||
for i := 0; i < 5; i += 1 { | ||
testFunc(t, grpc.WithInsecure()) | ||
} | ||
}) | ||
t.Run("TLS2TLS", func(t *testing.T) { | ||
for i := 0; i < 5; i += 1 { | ||
testFunc(t, grpc.WithTransportCredentials(tc.client)) | ||
} | ||
}) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
/* | ||
Copyright 2019 The Vitess Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
package grpcoptionaltls | ||
|
||
import "io" | ||
|
||
const TLSPeekedBytes = 6 | ||
|
||
func looksLikeTLS(bytes []byte) bool { | ||
if len(bytes) < TLSPeekedBytes { | ||
return false | ||
} | ||
// TLS starts as | ||
// 0: 0x16 - handshake protocol magic | ||
// 1: 0x03 - SSL version major | ||
// 2: 0x00 to 0x03 - SSL version minor (SSLv3 or TLS1.0 through TLS1.3) | ||
// 3-4: length (2 bytes) | ||
// 5: 0x01 - handshake type (ClientHello) | ||
// 6-8: handshake len (3 bytes), equals value from offset 3-4 minus 4 | ||
// HTTP2 initial frame bytes | ||
// https://tools.ietf.org/html/rfc7540#section-3.4 | ||
|
||
// Definitely not TLS | ||
if bytes[0] != 0x16 || bytes[1] != 0x03 || bytes[5] != 0x01 { | ||
return false | ||
} | ||
return true | ||
} | ||
|
||
// DetectTLS reads necessary number of bytes from io.Reader | ||
// returns result, bytes read from Reader and error | ||
// No matter if error happens or what flag value is | ||
// returned bytes should be checked | ||
func DetectTLS(r io.Reader) (bool, []byte, error) { | ||
var bytes = make([]byte, TLSPeekedBytes) | ||
if n, err := io.ReadFull(r, bytes); err != nil { | ||
return false, bytes[:n], err | ||
} | ||
return looksLikeTLS(bytes), bytes, nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters